RE: Security Wonks ate my hamster.

From: <fmhabash_at_gmail.com>
Date: Wed, 23 Mar 2016 11:28:19 -0400
Message-ID: <56f2b614.418e320a.2aaf4.ffff9696_at_mx.google.com>



I have also monkey’d around with the HashiCorp Vault secret store (https://www.hashicorp.com/blog/vault.html). The issue that confronts me the most is how ready the enterprise is to formally adopt and institutionalize such solutions. There is going to be significant overhead in learning, maintenance, and architecture.

What I normally see are three distinct scenarios:

1) Hierarchy-based mandates: where a directive comes from the top, e.g. CIO/director, ‘we must get this done’. This is effective and sends everyone chasing their tail to get it done.
2) Self-organizing / energizing teams: A group of people that internalize such needs and embrace the idea that ‘good is never good enough’. They learn fast, execute, and communicate effectively. It is hard to see such teams & individuals.
3) Who cares. If not broken, do not fix it. These are places that have inserted plain-text passwords everywhere in scripts and config files for the entire life of the organization. Everyone knows about it, everyone knows it needs fixing, but no one is saying/doing anything, i.e. no drive (internal or external).



----------------------------------------
Thanks

From: John Piwowar
Sent: Wednesday, March 23, 2016 9:59 AM
To: rajendra.pande_at_ubs.com
Cc: howard.latham_at_gmail.com; oracle-l_at_freelists.org
Subject: Re: Security Wonks ate my hamster.

Yup, that's a fair point, both about the analogy and the situation, thanks! 

It really comes down to whether the process is more thoroughly defined than, "passwords locked in that box over there." :-) I'm hoping the answer is yes. 

On Wednesday, 23 March 2016, <rajendra.pande_at_ubs.com> wrote:

Well it depends is right ☺

“but I really wonder about the motivation of taking the keys away from the guy entrusted to drive the bus.”

With a lot of ongoing issues – staying with your analogy – the effort is NOT to take the keys of the bus – but make it such that the driver gets to have the keys when he needs to drive the bus and not have the keys all the time. Standing access vs break glass when you need it.

The question comes down to how easy or cumbersome that process is.
 

-- 
Regards, 
John P.
(Typed with thumbs on a mobile device. Lowered expectations appreciated)



--
http://www.freelists.org/webpage/oracle-l
Received on Wed Mar 23 2016 - 16:28:19 CET
